Description:
A denial of service vulnerability has been reported in the Cyrus IMAP e-mail server. Remote users can cause the mail server to crash.

It is reported that a remote user with a PHP-based IMAP client can eventually cause the Cyrus mail server to hang, requiring a hard server reboot to return to normal operation. This condition has reportedly been observed when using IMP and Jawmail webmail packages.

Impact:
A remote user can cause the e-mail server to crash, requiring a reboot to return to normal operation.

Subject: Possible Denial of Service with PHP and Cyrus IMAP on BSDi 4.2

Use of the php IMAP functions on BSDi webserver with Apache against a cyrus
server on BSDi 4.2 will eventually cause the mail server to hang, forcing a
hard reboot.
A BSDi 4.2 Cyrus server could be remotely DOS'd if external IMAP access is
available.
This has been experienced running IMP and Jawmail, two popular OSS webmail
packages which do not exhibit this behavior on other platforms.
This has been tested with the php compiled against c-client versions 2000
and 4.7, and with Cyrus 2.0.15 and 2.0.16 as the mail server.
The cyrus sever does not exhibit this behavior with regular mail clients.
It has also been tested with php 4.0.4pl1 and php 4.0.6
At this time, I am unable to determine if the issue is with the c-client or
with PHP.
M. Gamble
Echo Online Administration